← Back to VMware vSphere 8.0 vCenter Appliance Envoy Security Technical Implementation Guide

V-259165

CAT II (Medium)

The vCenter Envoy service must set a limit on remote connections.

Rule ID

SV-259165r960735_rule

STIG

VMware vSphere 8.0 vCenter Appliance Envoy Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-000054

Discussion

Envoy client connections must be limited to preserve system resources and continue servicing connections without interruption. Without a limit set, the system would be vulnerable to a trivial denial-of-service attack where connections are created en masse and vCenter resources are entirely consumed. Envoy comes hard coded with a tested and supported value for "maxRemoteHttpsConnections" and "maxRemoteHttpConnections" that must be verified and maintained.

Check Content

At the command prompt, run the following commands:

# xmllint --xpath '/config/envoy/L4Filter/maxRemoteHttpsConnections/text()' /etc/vmware-rhttpproxy/config.xml
# xmllint --xpath '/config/envoy/L4Filter/maxRemoteHttpConnections/text()' /etc/vmware-rhttpproxy/config.xml

Example result:

2048

or

XPath set is empty

If the output is not "2048" or "XPath set it empty", this is a finding.

Note: If "XPath set is empty" is returned the default values are in effect and is 2048.

Fix Text

Navigate to and open:

/etc/vmware-rhttpproxy/config.xml

Locate the <config>/<envoy>/<L4Filter> block and configure it as follows:

<maxRemoteHttpsConnections>2048</maxRemoteHttpsConnections>
<maxRemoteHttpConnections>2048</maxRemoteHttpConnections>

Restart the service for changes to take effect.

# vmon-cli --restart rhttpproxy